CISA warns of exploited Linux kernel flaw
Take action: This is not a panic-mode flaw, but an attacker who has already gained local access to a Linux system can use it to escalate privileges. Plan the update in your regular patching process, or implement the mitigating measures (which are not that great).
Learn More
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of an exploited vulnerability in Linux.
The flaw, tracked as CVE-2024-1086 (CVSS score 7.8), is a kernel privilege elevation vulnerability: a use-after-free issue in the netfilter nf_tables component of the Linux kernel.
Local attackers can exploit this flaw to escalate privileges, potentially gaining root-level access on affected systems.
The vulnerability was fixed by a commit in January 2024 that rejects QUEUE/DROP verdict parameters to prevent exploitation.
The fix has been backported to several stable kernel versions:
- v4.19.307 and later
- v5.4.269 and later
- v5.10.210 and later
- v5.15.149 and later
- v6.1.76 and later
- v6.6.15 and later
- v6.7.3 and later
In March 2024, a security researcher known as 'Notselwyn' published a detailed write-up and a proof-of-concept (PoC) exploit on GitHub, demonstrating local privilege escalation on Linux kernel versions between 5.14 and 6.6.
Although most Linux distributions deployed fixes promptly, Red Hat delayed until March, potentially allowing threat actors to exploit the public PoC on vulnerable systems. CISA has mandated that federal agencies apply the patches by June 20, 2024.
Mitigation Measures for Non-updatable Systems
- Blocklist the 'nf_tables' module if it is not needed or actively used.
- Restrict access to user namespaces to reduce the attack surface.
- Load the Linux Kernel Runtime Guard (LKRG) module (noting that it may cause instability).
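A triage script, added here and not part of CISA's advisory or the kernel project, that compares an upstream stable kernel version with the fixed versions listed above and checks whether the two listed mitigations (nf_tables blocklisted, user namespaces restricted) are in place. The modprobe path and sysctl names are assumptions for a typical Linux layout.

```shell
#!/bin/sh
# Added example, not the advisory's code: triage a host for CVE-2024-1086 using
# the fixed versions and mitigations listed above (paths/sysctls are assumptions).
# ver_ge A B: returns 0 when dotted version A >= B (up to three components).
ver_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}
# kernel_is_fixed VERSION: prints fixed / vulnerable / unknown for an upstream
# stable version such as "6.6.14" (a "-generic" style suffix is dropped).
kernel_is_fixed() {
    v=${1%%[!0-9.]*}
    case "$(printf '%s.0' "$v" | cut -d. -f1,2)" in
        4.19) fix=4.19.307 ;;
        5.4)  fix=5.4.269 ;;
        5.10) fix=5.10.210 ;;
        5.15) fix=5.15.149 ;;
        6.1)  fix=6.1.76 ;;
        6.6)  fix=6.6.15 ;;
        6.7)  fix=6.7.3 ;;
        *) echo unknown; return 2 ;;   # series not listed in the advisory
    esac
    if ver_ge "$v" "$fix"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}
# "blacklist" only stops alias autoloading; "install nf_tables /bin/false" also
# blocks explicit modprobe. Neither helps if nf_tables is built in, not a module.
nf_tables_blocklisted() {
    grep -Eqs '^[[:space:]]*(blacklist|install)[[:space:]]+nf_tables([[:space:]]|$)' /etc/modprobe.d/*.conf
}
# Without a user namespace an unprivileged user lacks the CAP_NET_ADMIN needed to
# reach nf_tables; user.max_user_namespaces=0 (mainline) or
# kernel.unprivileged_userns_clone=0 (Debian/Ubuntu kernels) closes that path.
userns_restricted() {
    [ "$(sysctl -n user.max_user_namespaces 2>/dev/null)" = 0 ] ||
    [ "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" = 0 ]
}
k=$(uname -r)
echo "kernel $k: $(kernel_is_fixed "$k")"
nf_tables_blocklisted && echo "nf_tables: blocklisted" || echo "nf_tables: not blocklisted"
userns_restricted && echo "user namespaces: restricted" || echo "user namespaces: unrestricted"
```

Distribution kernels that backport the fix without bumping the upstream version (Ubuntu's 5.15.0-NNN series, RHEL kernels) will report "vulnerable" here; for those, the vendor advisory is the authority, not the version comparison.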